ca: If using Vault as the service mesh CA provider, the Vault policy used by Consul now requires the `update` capability on the intermediate PKI's tune mount configuration endpoint, such as `/sys/mounts/connect_inter/tune`. The breaking nature of this change is resolved in 1.11.11. Refer to upgrade guidance for more information.
SECURITY:
auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the `AutoConfig.InitialConfiguration` endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]
connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the `ConnectCA.Sign` endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]
IMPROVEMENTS:
metrics: add labels of segment, partition, network area, network (lan or wan) to serf and memberlist metrics [GH-14161]
snapshot agent: (Enterprise only) Add support for path-based addressing when using s3 backend.
BUG FIXES:
ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed. [GH-14516]
cli: When launching a sidecar proxy with `consul connect envoy` or `consul connect proxy`, the `-sidecar-for` service ID argument is now treated as case-insensitive. [GH-14034]
connect: Fixed a bug where old root CAs would be removed from the primary datacenter after switching providers and restarting the cluster. [GH-14598]
connect: Fixed an issue where intermediate certificates could build up in the root CA because they were never being pruned after expiring. [GH-14429]
rpc: Adds a deadline to client RPC calls, so that streams will no longer hang indefinitely in unstable network conditions. [GH-8504] [GH-11500]
rpc: Adds max jitter to client deadlines to prevent i/o deadline errors on blocking queries [GH-14233]
1.13.1 (August 11, 2022)
BUG FIXES:
agent: Fixed a compatibility issue when restoring snapshots from pre-1.13.0 versions of Consul [GH-14107] [GH-14149]
connect: Fixed some spurious issues during peering establishment when a follower is dialed [GH-14119]
1.12.4 (August 11, 2022)
BUG FIXES:
cli: when `acl token read` is used with the `-self` and `-expanded` flags, return an error instead of panicking [GH-13787]
connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams.
connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]
ui: Fixes an issue where client side validation errors were not showing in certain areas [GH-14021]
1.11.8 (August 11, 2022)
BUG FIXES:
connect: Fixed a goroutine/memory leak that would occur when using the ingress gateway. [GH-13847]
connect: Ingress gateways with a wildcard service entry should no longer pick up non-connect services as upstreams.
connect: Terminating gateways with a wildcard service entry should no longer pick up connect services as upstreams. [GH-13958]
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hpcng/nomad-driver-singularity/network/alerts).
Bumps github.com/hashicorp/consul from 1.0.7 to 1.11.9.
Release notes
Sourced from github.com/hashicorp/consul's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/consul's changelog.
... (truncated)
Commits
- `716c835` Stage 1.11.9
- `a598243` backport of commit 546f1ec634297d1453c37118654a449ce97992db (#14664)
- `d7d1932` Merge pull request #14660 from hashicorp/backport/docs/search-metadata-header...
- `ace98ca` Merge pull request #14656 from hashicorp/docs/search-metadata-headers
- `bf33647` no-op commit due to failed cherry-picking
- `3583279` Backport of docs: Search Description Refresh into release/1.11.x (#14648)
- `5bb87c0` Backport of connect/ca: Don't discard old roots on primaryInitialize into rel...
- `cdb4473` Merge pull request #14645 from hashicorp/docs/hot-fix-1-11release
- `629d2c4` fix merge conflict markings
- `9f7c398` Merge pull request #14626 from hashicorp/backport/docs/what-is-consul-devdot-...